5 FreeBSD Racoon Configuration

To facilitate the negotiation of IPsec keys on the FreeBSD GW, the security/racoon port must be installed and configured.

The following is a racoon configuration file suitable for use with the examples outlined in this document. Please make sure you fully understand this file before using it in a production environment.

# racoon.conf for use with Check Point VPN-1/Firewall-1
#
# search this file for pre_shared_key with various ID key.
#
        path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
        log debug;
#
# "padding" defines some parameter of padding.  You should not touch these.
#
        padding
      {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
      }

        listen
      {
        #isakmp ::1 [7000];
        #isakmp 0.0.0.0 [500];
        #admin [7002];          # administrative port by kmpstat.
        #strict_address;        # required all addresses must be bound.
      }
#
# Specification of default various timers.
#
        timer
      {
#
# These values can be changed per remote node.
#
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
#
# timer for waiting to complete each phase.
#
        phase1 30 sec;
        phase2 15 sec;
      }

        remote anonymous
      {
        exchange_mode aggressive,main; # For Firewall-1 Aggressive mode

        #my_identifier address;
        #my_identifier user_fqdn "";
        #my_identifier address "";
        #peers_identifier address "";
        #certificate_type x509 "" "";

        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        lifetime byte 5 MB;     # B,KB,GB
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
      }

        sainfo anonymous
      {
        pfs_group 1;
        lifetime time 10 min;
        lifetime byte 50000 KB;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
      }

Ensure that the /usr/local/etc/racoon/psk.txt file contains the pre-shared secret configured in the “Firewall-1 Network Object Configuration” section of this document and has mode 600 permissions.

# chmod 600 /usr/local/etc/racoon/psk.txt

This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.